NORTHWEST PIPE CO 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

NORTHWEST PIPE CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:09:10 EST.

Filings

10-K filed on 2025-02-27

NORTHWEST PIPE CO filed a 10-K at 2025-02-27 16:09:10 EST
Accession Number: 0001437749-25-005465

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We believe that cybersecurity is a critical part of our overall risk management profile, which is supported by both our management and our Board of Directors. We believe that we face the same external threats common to other participants in the infrastructure sectors, which include ransomware and malware attacks in addition to the risks brought on through the vendor supply chain. Through the leadership of our Vice President of Information Technology, who reports to our Chief Financial Officer, we continuously assess these threats and evaluate our landscape for new vulnerabilities, considering both for their probability of occurrence as well as their perceived potential impact. We supplement our risk assessment processes with robust third-party identification tools which we review routinely through the use of intrusion prevention and detection systems. We supplement our internal procedures with third parties, who routinely assess our network infrastructure for vulnerabilities both internal and external to our firewall. We also conduct periodic training and awareness programs for all of our employees with systems access in order to drive adoption and awareness of their critical roles in cybersecurity processes and controls. The pace of change in approaches undertaken by cyber criminals requires that we strive for continuous improvement and constant monitoring of the broader landscape. In 2024 we adopted the cybersecurity framework of the National Institute of Standards and Technology (“NIST”), and worked to assess our adoption of the NIST cybersecurity framework against a group of peers. We believe that continued evaluation by external experts is the best means to ensure both the design and operational effectiveness of our cybersecurity policies, internal controls, and standards. Furthermore, these periodic reviews are critical to evaluate that we have the right people, technology, and processes to identify, prevent, and detect the activities of bad actors who desire to challenge the system continuity and functionality of the information technology we depend on to operate our business. In addition to our prevention efforts, we also prepare for criminal infiltration through the evaluation of our incident response plan including table top exercises, which helps us assess our ability to react timely and effectively to various degrees of cybersecurity incidents. We believe our plan is well-designed and capable to manage an unforeseen breach including the eradication of the infiltrator from our networks. We carry cyber insurance to transfer the residual risk of an incident. We also work with our cyber insurance carrier to regularly refine our response procedures, which include the definition of internal and external communications channels to key stakeholders, as well as the identification of material breaches and the associated incident reporting up to senior management and our Board of Directors. Our Board of Directors has charged the Audit Committee with the governance and oversight of this risk. Our committee charter requires quarterly reporting to our Audit Committee by our Vice President of Information Technology covering key cybersecurity accomplishments, planned enhancement activities, and monitoring observations of the threat environment. Board experience in risk assessment has been enhanced with certification achievements specific to cybersecurity risk, providing us with the appropriate oversight for this evolving threat. As of the date of this report, we are not aware of any material breaches to our networks or computer systems that have materially affected or are reasonably likely to materially affect our execution of our business strategy, results of operations, or financial condition. We describe potential risks from cybersecurity threats under the heading “Our information technology systems can be negatively affected by cybersecurity threats,” in Part I - Item 1. “Risk Factors” of this 2024 Form 10-K, which disclosures are incorporated herein by reference.

Company Information